Refresh PMK every X seconds – Cisco ISE and Meraki

Andrew Cheremisov | Cisco ISE, Security, Wireless

One of our clients asked us to refresh the PMK (more about PMK) every 5 minutes during the deployment of a Cisco ISE and Meraki solution.
Create a new Authorization Profile in Cisco ISE (Policy – Policy Elements – Results – Authorization Profile).

Reauthentication—To choose, select the check box and enter a value in seconds for maintaining connectivity during reauthentication. You can also choose attribute values from the Timer drop-down list. You choose to maintain connectivity during reauthentication by selecting to use either the default (a value of 0) or RADIUS-Request (a value of 1) from the drop-down list. Setting this to the RADIUS-Request value maintains connectivity during the reauthentication process.

Creating and Configuring Permissions for a New Standard Authorization Profile

Associate your new AuthZ profile with your 802.1X policy. Done!

How to test?

  1. Check your Live Logs panel (Operations – RADIUS – Live Logs). You should see an authorization roughly every 45 seconds.

  2. Capture traffic at your Meraki AP.
    Use filter expression “port 1812 or port 1813 or port 3799” to capture only RADIUS traffic.

    The result of our packet capture: a RADIUS Access-Request every 45 seconds.
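ISE delivers the Reauthentication timer to the AP in the Access-Accept as the standard RADIUS attributes Session-Timeout (27) and Termination-Action (29, where 1 is RADIUS-Request). The following added example (not from the original post) parses RADIUS UDP payloads such as those taken from the capture above and checks both the attributes and the spacing between Access-Accepts; the packets, the 45-second timer value and all function names are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2                              # RADIUS code (RFC 2865)
SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29   # attribute types (RFC 2865)

def parse_radius(payload):
    """Parse a RADIUS UDP payload into (code, {attr_type: [raw values]})."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("length field does not match the payload")
    attrs, pos = {}, 20
    while pos < length:
        # Each attribute is type (1 byte), length (1 byte, includes header), value.
        alen = payload[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed or truncated attribute")
        attrs.setdefault(payload[pos], []).append(payload[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def reauth_settings(payload):
    """(Session-Timeout, Termination-Action) of an Access-Accept, else None."""
    code, attrs = parse_radius(payload)
    if code != ACCESS_ACCEPT:
        return None
    def u32(atype):
        vals = attrs.get(atype)
        return struct.unpack("!I", vals[0])[0] if vals and len(vals[0]) == 4 else None
    return u32(SESSION_TIMEOUT), u32(TERMINATION_ACTION)

def accept_gaps(capture):
    """Seconds between consecutive Access-Accepts in [(timestamp, payload), ...]."""
    times = [ts for ts, p in capture if parse_radius(p)[0] == ACCESS_ACCEPT]
    return [b - a for a, b in zip(times, times[1:])]

def build(code, attrs):
    """Build a constructed sample packet (zeroed authenticator, not a real capture)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 0, 20 + len(body)) + bytes(16) + body

# Constructed single-client capture: one request/accept pair per reauthentication.
REQUEST = build(1, [(1, b"user")])
ACCEPT = build(2, [(27, struct.pack("!I", 45)), (29, struct.pack("!I", 1))])
CAPTURE = [(0.0, REQUEST), (1.0, ACCEPT), (45.0, REQUEST), (46.0, ACCEPT),
           (90.0, REQUEST), (91.0, ACCEPT)]
if __name__ == "__main__":
    print(reauth_settings(ACCEPT), accept_gaps(CAPTURE))
```

A real 802.1X reauthentication involves several Access-Request/Access-Challenge rounds, which is why the gap is measured between Access-Accepts rather than between every Access-Request.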
